More Information
There is a lot of great information about cryptography and computer security out there, both in print and on the Web. Here is a list of references that I think are particularly good or relevant for this class:
Material for "Security Overview" (week of 8/22)
Key Organizations and Standards Bodies/Sources
NIST (National Institute of Standards and Technology)
US Government organization defining technology standards and other useful information
NIST has a Computer Security Division which publishes the "800-series" of publications on Computer Security. See especially:
- SP 800-12 - An Introduction to Computer Security: The NIST Handbook
- SP 800-21 - Guidelines for Implementing Cryptography in the Federal Government
- SP 800-53 Rev. 3 - Recommended Security Controls for Federal Information Systems and Organizations
- SP 800-57 - Recommendation for Key Management
- SP 800-61 - Computer Security Incident Handling Guide
FIPS (Federal Information Processing Standards)
Issued by NIST's Information Technology Laboratory; FIPS publications are mandatory standards for federal (non-national-security) information systems, and include the standard cryptographic algorithms such as AES (FIPS 197) and the Digital Signature Standard, DSS (FIPS 186).
IETF (Internet Engineering Task Force)
Publishes internet standards, protocol definitions (including IP, TCP, TLS, etc.), and other documents as RFCs. Non-protocol documents of particular interest include:
ITU-T (International Telecommunication Union - Telecommunication Standardization Sector)
Publishes the "X-series" recommendations, including
Miscellaneous items from overview
Designing security in
- CERT Secure Coding Standards
- Build Security In - US-CERT project to improve software assurance
- Writing Secure Code, Second Edition - Book by Michael Howard and David LeBlanc
- CWE/SANS Top 25 Most Dangerous Software Errors - very important stuff for software developers to know!
Material for "Classical Encryption Techniques" (week of 8/29)
Interesting and/or unsolved ciphers
- Slate slideshow on "Famous Unsolved Ciphers"
- The Edgar Allan Poe Cryptographic Challenge (Solved in 2000) [Link no longer works - was http://www.bokler.com/eapoe.html]
Information on classic cryptography
- The Codebreakers by David Kahn is a great book on the history of cryptography (particularly military history)
- Puzzle Baron's Cryptograms - information and online puzzles
Steganography
- Good article by Gary Kessler on steganography, with examples
- Stegdetect (detection) and OutGuess (embedding) - steganography tools from Niels Provos
Advanced Encryption Standard (AES)
- AES Standard - FIPS 197 specification
- NSA Suite B Cryptography [archive link]
- CNSSP-15 fact sheet - on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information
- AES Animation - a very cool flash-based AES animation
Security Model References
- Ciphertext Indistinguishability article at Wikipedia - this is a little terse, and the models seem to assume a public key crypto model, but otherwise it's a reasonable reference
User Authentication
- The Cookie Eater Project at MIT
Hash Functions
- MD5 Collision Demo has a great overview of the vulnerability of MD5 with respect to its lack of strong collision resistance. This page gives not just meaningless collisions, but very practical examples of different programs with the same MD5 hash value, and different PostScript files with the same MD5 hash value.
- Wired article on X.509 certificate forgery - this was a real attack on a Certificate Authority that demonstrated how the MD5 weakness led to forged certificates.
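The following is an added example, not code from the MD5 Collision Demo page or from the Wired article. It reproduces the published Wang et al. (2004) MD5 collision pair (the two 128-byte messages widely reprinted, e.g. in the Wikipedia MD5 article) and shows the property the "different programs with the same MD5 hash" trick depends on: because MD5 is an iterated (Merkle-Damgard) hash, once two messages collide after a whole number of blocks, appending the same suffix to both keeps them colliding. The suffix used here is constructed for the demonstration; the helper names are mine.

```python
import hashlib

# Published Wang et al. (2004) collision pair: two distinct 128-byte (two-block)
# messages with the same MD5 digest. They differ in exactly six bytes, each by a
# single bit (0x80), at offsets 19, 45, 59 in block 1 and 83, 109, 123 in block 2.
MSG1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
MSG2 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    """MD5 digest as lowercase hex (used here only to demonstrate the break)."""
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest as lowercase hex, for comparison with a non-broken hash."""
    return hashlib.sha256(data).hexdigest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length messages differ."""
    if len(a) != len(b):
        raise ValueError("messages must have equal length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collides_under_md5(a: bytes, b: bytes) -> bool:
    """True only for a genuine collision: distinct inputs, identical MD5."""
    return a != b and md5_hex(a) == md5_hex(b)


def extend_both(a: bytes, b: bytes, suffix: bytes) -> tuple:
    """Append the same suffix to both colliding messages.

    Both messages are a whole number of 64-byte blocks, so MD5's internal
    state is identical after processing them; any common suffix is then
    hashed from the same state and the collision survives. This is the
    building block behind 'two different programs, one MD5' demos: the
    colliding blocks sit in a prefix, and a shared payload follows.
    """
    return a + suffix, b + suffix


if __name__ == "__main__":
    # Constructed suffix standing in for the shared part of two programs.
    suffix = b"\n# shared payload appended to both colliding prefixes\n"
    s1, s2 = extend_both(MSG1, MSG2, suffix)
    print("differing offsets:", differing_offsets(MSG1, MSG2))
    print("MD5(MSG1) :", md5_hex(MSG1))
    print("MD5(MSG2) :", md5_hex(MSG2))
    print("MD5 collides:", collides_under_md5(MSG1, MSG2))
    print("MD5 still collides after common suffix:", collides_under_md5(s1, s2))
    print("SHA-256 differs:", sha256_hex(MSG1) != sha256_hex(MSG2))
```

Running it shows both original messages and both suffixed messages sharing one MD5 digest while their SHA-256 digests differ, which is why a signature or certificate scheme that hashes with MD5 can be fooled by a chosen-prefix collision even though the attacker never inverts the hash.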